SaTC: CORE: Small: A Transparent and Customizable Android Container-Based Virtualization Architecture for Dynamic Malware Analysis

SaTC：CORE：Small：用于动态恶意软件分析的透明且可定制的基于 Android 容器的虚拟化架构

• 批准号: 2128703
• 负责人: Jiang Ming
• 金额: $ 50万
• 依托单位: University of Texas at Arlington
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-10-01 至 2023-02-28
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2128703&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Transparent; Customizable

With the success of Android mobile device markets, Android malicious software (malware) threatens billions of smartphone users. Driven by financial profit, malware authors are highly motivated to evade detection and to challenge forensics procedures. In the malware detection/evasion arms race, defenders apply analysis techniques that require a highly controlled environment to collect data about malware actions and gain insights into their intents, while still preventing malware from discovering that it is operating in an analysis environment. The project introduces a novel and customizable malware analysis environment capable of handling evasive Android malware. The software artifacts generated and made publicly available to the open-source community have the potential to revolutionize the way analysts perform forensics tasks, thus protecting smartphone users and their Android devices against cyber-attacks. Furthermore, this project, performed in a Hispanic-serving institution, involves recruitment of students from under-represented groups in computing. This project innovatively applies container-based virtualization to address the long-standing challenge of efficiently analyzing evasive malware. Current Android malware dynamic analysis platforms (i.e., Android emulators and bare-metal machines) have limitations. Powered by the transparent and customizable virtual environment, this out-of-the-box malware analysis approach overcomes existing analysis techniques' limitations and amplifies their benefits. This analysis environment is more resilient against evasive malware than standard Android emulators. Furthermore, the environment is stealthier and provides better flexibility and productivity for analysis than bare-metal machines. The novel Android container architecture has cross-disciplinary contributions: it improves resource utilization, reduces hardware costs, thus advancing automated malware analysis and streamlining the tasks of malware analysts. Moreover, other researchers can develop new techniques to boost more powerful malware analysis methods, such as behavior-based malware clustering and evasive malware detection. The success of this research potentially revolutionizes dynamic malware analysis methods and tips the balance of the malware war toward the defender.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

随着Android移动终端市场的成功，Android恶意软件（恶意软件）威胁着数十亿智能手机用户。在经济利益的驱动下，恶意软件作者有很高的动机来逃避检测和挑战取证程序。在恶意软件检测/规避军备竞赛中，防御者应用分析技术，需要高度受控的环境来收集有关恶意软件操作的数据并深入了解其意图，同时仍然防止恶意软件发现它正在分析环境中运行。该项目引入了一个新颖的和可定制的恶意软件分析环境，能够处理规避Android恶意软件。开源社区生成并公开提供的软件工件有可能彻底改变分析师执行取证任务的方式，从而保护智能手机用户及其Android设备免受网络攻击。 此外，该项目在一个西班牙裔服务机构进行，涉及从计算方面代表性不足的群体中招募学生。该项目创新性地应用基于容器的虚拟化来解决有效分析规避恶意软件的长期挑战。当前的Android恶意软件动态分析平台（即，Android模拟器和裸机）有限制。这种开箱即用的恶意软件分析方法由透明和可定制的虚拟环境提供支持，克服了现有分析技术的局限性，并扩大了其优势。这种分析环境比标准Android模拟器更能抵御规避恶意软件。此外，该环境更隐蔽，并提供比裸机更好的分析灵活性和生产力。新颖的Android容器架构具有跨学科的贡献：它提高了资源利用率，降低了硬件成本，从而推进了自动化恶意软件分析并简化了恶意软件分析师的任务。此外，其他研究人员可以开发新技术来提升更强大的恶意软件分析方法，例如基于行为的恶意软件集群和规避恶意软件检测。这项研究的成功可能会彻底改变动态恶意软件分析方法，并将恶意软件战争的天平向防御者倾斜。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Chosen-Instruction Attack Against Commercial Code Virtualization Obfuscators

• DOI: 10.14722/ndss.2022.24015
• 发表时间: 2022
• 期刊: Proceedings 2022 Network and Distributed System Security Symposium
• 作者: Shijia Li;Chunfu Jia;Pengda Qiu;Qiyuan Chen;Jiang Ming;Debin Gao

PolyCruise: A Cross-Language Dynamic Information Flow Analysis

PolyCruise：跨语言动态信息流分析

• 发表时间: 2022
• 期刊: Proceedings of the 31st USENIX Security Symposium
• 作者: Wen Li, Jiang Ming

One size does not fit all: security hardening of MIPS embedded systems via static binary debloating for shared libraries

• DOI: 10.1145/3503222.3507768
• 发表时间: 2022-02
• 期刊: Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems
• 作者: Haotian Zhang;Mengfei Ren;Yu Lei;Jiang Ming

Towards Transparent and Stealthy Android OS Sandboxing via Customizable Container-Based Virtualization

• DOI: 10.1145/3460120.3484544
• 发表时间: 2021-11
• 期刊: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Wenna Song;Jiang Ming;Lin Jiang;Yi Xiang;Xuanchen Pan;Jianming Fu;Guojun Peng

Intelligent Zigbee Protocol Fuzzing via Constraint-Field Dependency Inference

通过约束场依赖推理进行智能 Zigbee 协议模糊测试

• 发表时间: 2023
• 期刊: In Proceedings of the 28th European Symposium on Research in Computer Security
• 作者: Mengfei Ren;Haotian Zhang;Xiaolei Ren;Jiang Ming;Yu Lei
• 通讯作者: Yu Lei